The Microsoft 365 Defender suite of technologies offers powerful solutions to protect, detect and respond to threats to your organisation.
Microsoft has been developing their portfolio of security technologies at a rapid pace over the last few years and they’re not slowing down!
I think it’s fair to say that Microsoft, given the adoption of services such as Office 365, Windows 10 and Azure, are in a unique position. Having access to the telemetry, and being able to build security solutions natively into their services, presents a great opportunity to provide enhanced security capabilities.
Microsoft offer several advanced threat technologies that focus on specific areas within your IT environment. Individually, they provide advanced protection, but together they give you the highest possible level of protection – enabling you to see the complete chain of events during an attack.
We often see confusion around these technologies – especially since Microsoft rebranded Microsoft Threat Protection and the advanced threat protection technologies included within it. As a result, some think Microsoft 365 Defender is a single technology and others are not clear on what it actually covers.
This blog will aim to clarify the technologies included in Microsoft 365 Defender and what they offer. Understanding this is critical when developing your security strategy.
Let’s dig into what the Microsoft Defender technologies are and what they each bring to the table.
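There are three key Defender technologies: Microsoft Defender for Endpoint, Microsoft Defender for Office 365 and Microsoft Defender for Identity.
Microsoft Defender for Endpoint is a technology that, unsurprisingly, focuses on your endpoints: specifically, your desktop devices and your Windows servers.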
The technology is built into Windows 10 and requires only policy to be deployed to activate it – on Windows 7 and above (including Server), it requires agent software to be deployed.
Microsoft has made it clear that their key focus is on enabling Microsoft Defender for Endpoint in Windows 10, and has provided the capability on down-level operating systems to ensure that you have complete coverage during your migration to Windows 10.
Microsoft Defender for Endpoint is Microsoft’s offering in the Endpoint Detection and Response (EDR) area.
Microsoft Defender for Endpoint provides detailed monitoring of your endpoints and aims to detect known or suspected malicious activities. This capability is based on intelligence provided through the Microsoft Security Graph, which is continuously updated with new intelligence and machine learning knowledge.
Couple Microsoft Defender for Endpoint with the security components of Windows 10, such as Exploit Guard and Windows Defender, and you have comprehensive threat protection to protect your endpoints. Malicious processes and actors will typically gain access to your environment by exploiting your endpoints.
Microsoft Defender for Endpoint also provides automated investigation activities that reach out to various endpoints to gain further insight into the suspicious activity. This greatly reduces the time taken to investigate and enables you to get to the root cause quickly and more efficiently.
Microsoft Defender for Endpoint is managed and monitored through a cloud-based portal that provides additional visibility such as risk posture, recommended configuration changes and the ability to create security tasks that your IT admins can then action.
You’ll also benefit from regularly added new features and improvements, such as the addition of web content filtering. Whilst this originally required an additional partner license, Microsoft has now included it within Defender for Endpoint as standard.
Microsoft Defender for Office 365 is a threat protection technology that protects e-mails and data contained within Office 365 in places like SharePoint Online, Teams and OneDrive for Business. Its aim is to provide zero-day protection against malware.
It works by analysing files within a detonation chamber to try and understand what the file would do when a user opens it. If it detects suspicious activities it will block the file.
Included within the solution is the ability to protect users against malicious URLs or web links within an e-mail or document. It achieves this by referencing a database of known malicious sites. If the link is proven to be malicious, it will block the end user from getting to the destination. In addition, Microsoft Defender for Office 365 will analyse any files referenced by these links in the same way.
Microsoft Defender for Office 365 also includes protection against phishing attacks. It uses extensive machine learning models to understand who you typically communicate with, and when, in order to detect impersonation attempts.
Phishing attacks are on the rise and can be very effective in encouraging end users to surrender their credentials or other types of data. Having protection in place to help mitigate this risk is an important part of your security strategy.
Microsoft Defender for Identity predominately focuses on protecting your identities. It’s a cloud-based solution with some on-premises components (typically agents) that aim to analyse the information that flows to and from your local Active Directory domain controllers.
It’s also integrated with the Microsoft Security Graph (as it’s cloud-based) meaning that it benefits from wider security telemetry and intelligence.
It will alert you to typical attack techniques, such as ‘pass the hash’ or ‘pass the ticket’ – techniques that attackers use to move laterally within your organisation.
Microsoft Defender for Identity also alerts you to uncharacteristic user activities. It achieves this by building detailed activity models that describe a user’s normal behaviour. When activities occur that are out of the norm, alerts are generated for further investigation.
Microsoft Defender for Identity is Microsoft’s offering in the User and Entity Behavioural Analytics (UEBA) area.
Microsoft continually adds new detections to Defender for Identity as new malicious techniques are discovered.
Hopefully, you now understand what the Microsoft Defender technologies are and what they aim to do.
Whilst they are powerful technologies in their own right, they become even more powerful when you use them all together. This way they can share data and perform activities to prevent further attacks.
For example, when Microsoft Defender for Endpoint detects and confirms a malicious process, it will seek and destroy the processes and inform Microsoft Defender for Office 365 to retrospectively remove the originating piece of malware from users’ mailboxes. From an investigative perspective, you can also view activities throughout the attack chain, giving you the insight you need to deal with the incident.
Microsoft continues to add new technologies to their security suite, such as their cloud-native SIEM solution, Azure Sentinel.
Azure Sentinel can consume and aggregate signals from almost all systems and provide added layers of machine learning and artificial intelligence to ensure that you only receive alerts that you need to take action on. Furthermore, you can automate responses to these to enable you to react quickly in the event of a security-related incident.
As head of our Mobility & Security practice, Mat’s responsibilities include ensuring that our technical knowledge and delivery capability are fully up to speed and current, as well as creating a...